cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MITRE ATT&CK Technique Coverage

Bob_Bruce
Copper Contributor

‎Jan 20 2022 08:20 AM

‎Jan 20 2022 08:20 AM

MITRE ATT&CK Technique Coverage

Hi All,

I have been mapping our capabilities to the ATT&CK framework to be able to display coverage and where hot spots may exist. I am having a very difficult time finding any reference to what techniques 365 Defender covers. 

Does anyone know of a way to get this list from the console? I can export the alerts that have fired but I'm looking for a list of all that "could" fire, if that makes sense.

Thanks

2,008 Views
0 Likes
5 Replies
Reply
5 Replies
ReganDangerCarey

‎Apr 28 2022 04:53 PM

‎Apr 28 2022 04:53 PM

Re: MITRE ATT&CK Technique Coverage

I'm also interested and having a hard time finding this information. The incidents that come across into Sentinel also don't carry over the MITRE fields, so we can't even query based on that.
0 Likes
Reply
GerryMcCafferty

‎Apr 14 2023 05:15 AM

‎Apr 14 2023 05:15 AM

Re: MITRE ATT&CK Technique Coverage

Is there any update on this? I am particularly interested in mapping to the tactics \ techniques that tools such as Bloodhound and PingCastle highlight for Active Directory \ Azure Active Directory:
https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html
0 Likes
Reply
GerryMcCafferty

‎Jun 28 2023 04:00 AM

‎Jun 28 2023 04:00 AM

Re: MITRE ATT&CK Technique Coverage

Thanks for that Vytas, the KQL query is a great help to be able to report on what is there.

I think what Bob and I are both looking for is a way of comparing that with what is currently available to ensure everything is configured and switched on in the tenant?
0 Likes
Reply
Kris_Deb_e2e

‎Jul 26 2023 04:42 AM

‎Jul 26 2023 04:42 AM

Re: MITRE ATT&CK Technique Coverage

I'm also interested in any reference document about MITRE mapping vs M365 Defender, I am surprised that it looks like there is no such thing in official documentation already.
0 Likes
Reply